Ask Your Question
0

[Liberty w' RDO] floating IP addresses not working with Cisco ASA 5505

asked 2015-12-14 23:46:03 -0500

tcesposito gravatar image

I have successfully setup 2 OpenStack Kilo installations with the external network as a flat network using RDO project packstack. I have followed the same procedure for a network setup with packstack and OpenStack Liberty, but the flat network routing is not working correctly and I suspect the Cisco ASA 5505 router may be the culprit. I am getting the VM's private subnet IP address (10.1.0.4) when I ping the floating IP address (192.168.10.217).

ping 192.168.10.217
PING 192.168.10.217 (192.168.10.217) 56(84) bytes of data.
64 bytes from 10.1.0.4: icmp_seq=1 ttl=63 time=1.92 ms
64 bytes from 10.1.0.4: icmp_seq=2 ttl=63 time=0.966 ms

I've looked at tcdump, ovs-vsctl show, ovs-ofctl dump-flows, and other sources for troubleshooting. I clearly see this is a packet routing problem on return trips. For instance, when I attempt to ssh into the VM, packets reach the VM, but then the connection is reset on VM while the client receives no return packets.

On question I have is should I make the external network gre or vlan with the assigned vlan ID of that external subnet (setup in Cisco router) and keep all tenant networks as vxlan? Another option I see is making everything gre, which means I need to wipe out all networks I already setup. Going all vlan is not an option because the router only has a license for a few vlans, which is already taken up.

I have also noticed that the MAC address registered in the external network router is that of the virtual router connecting the private subnet and the external subnet, meaning that multiple VMs register the same MAC address with multiple floating IP addresses. On one of the Kilo installations that works fine, I noticed the IP address associated with private subnet router MAC will simply change frequently with a Cisco RV320 router. This is where I see the Cisco ASA 5505 behave differently and it is keeping multiple IP address entries with the same MAC address.

For reference, here are some of the key relevant configurations. OpenVSwitch is used for software-defined networking. packstack and OpenStack setup all firewall rules and IP routes, all of which look very legitimate, but would be happy to share if interested. There is also a 172.16.100. network for all backend service traffic, which seems to be working well for the internal zone. Most other configurations are the defaults setup by packstack.

/etc/neutron/l3_agent.ini

[DEFAULT]
interface_driver =neutron.agent.linux.interface.OVSInterfaceDriver
external_network_bridge = br-ex

/etc/neutron/plugins/ml2/ml2_conf.ini

[ml2]
type_drivers = flat,vxlan
tenant_network_types = vxlan

[ml2_type_flat]
flat_networks = *

[ml2_type_vxlan]
vni_ranges =10:100
vxlan_group =224.0.0.1

[securitygroup]
enable_security_group = True

/etc/neutron/plugins/ml2/openvswitch_agent.ini

[ovs]
integration_bridge = br-int
tunnel_bridge = br-tun
local_ip =172.16.100.201
bridge_mappings =physnet1:br-ex

[agent]
tunnel_types =vxlan

/etc/sysconfig/network-scripts/ifcfg-br-ex

DEVICE=br-ex
DEVICETYPE=ovs
TYPE=OVSBridge ...
(more)
edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted
0

answered 2015-12-16 13:11:59 -0500

tcesposito gravatar image

I tried vlan setup, but that didn't work. I then removed the physical network from neutron and setup as flat network a second time. I noticed the mapping of physical network device in openvswitch_agent.ini (physnet1) did not match what was setup for the network in neutron (extnet). Once they matched, all routing worked correctly.

neutron net-create external_network --provider:network_type flat --provider:physical_network extnet --router:external --shared
edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2015-12-14 23:40:09 -0500

Seen: 627 times

Last updated: Dec 16 '15